[Samba] Domain Member Server: Domain Users cannot access shares

Jason Secord via samba

Sep 20, 2016, 5:00:03 PM
Hello to the Samba devs and mailing list subscribers,

I've run into a bit of trouble getting a new domain member server setup.

I've got three Ubuntu 14.04 64 bit VMs running the latest stable build of
Samba built from source acting as Domain Controllers. I've got a fourth
physical machine running Ubuntu 16.04 64 bit running the canonical
distribution samba (Version 4.3.9-Ubuntu) that I've configured as a Domain
Member Server providing file sharing for the domain. Shared directories
are stored on a RAID 1 array formatted ext4. Currently I can see and
access all shares using any account that is a member of the Domain Admins
group, and can alter Share Permissions and ACLs via the Security tab via
the Computer Management snap-in running on a Windows 7 workstation that is
joined to the domain. I've reset all ACLs and executed chmod g=rwx /mnt
and chgrp "DOMAIN\Domain Admins" /mnt and granted "Everyone" and "Domain
Users" Full Access in both the Share Permissions and Security tabs. Any
attempt to view shares on the domain member server when logged in as a user
who is a member of the "Domain Users" group fails, I am prompted to enter
credentials, I do so and they are rejected. Domain Admins can both view all
shares and access their contents without a problem.

My smb.conf:

# Global parameters

[global]

workgroup = PHM
realm = PHM.PLYMOUTHHISTORY.ORG
netbios name = phmsrv01
security = ads
printing = CUPS
printcap name = /dev/null
encrypt passwords = yes
bind interfaces only = yes
interfaces = lo eno2


log file = /var/log/samba/samba.%m.log
log level = 2

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain PRIA
idmap config PHM:backend = ad
idmap config PHM:schema_mode = rfc2307
idmap config PHM:range = 10000-9999999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

# Enable extended ACL support https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes


[home]
path = /mnt/md0/samba_shares/home
read only = no
admin users = @"PHM\Domain Admins"

[Profiles]
path = /mnt/md0/samba_shares/Profiles
read only = no
admin users = @"PHM\Domain Admins"

[Accounts]
comment = PHM Accounts
path = /mnt/md0/samba_shares/Accounts
admin users = @"PHM\Domain Admins"
read only = no
valid users = @"PHM\Domain Users"

[Director-sec]
comment = Director-Sec Share
path = /mnt/md0/samba_shares/Director_sec
admin users = @"PHM\Domain Admins"
read only = no

[Director-ek]
comment = Director-ek Share
path = /mnt/md0/samba_shares/Director-ek
admin users = @"PHM\Domain Admins"
read only = no

[Edu_data]
comment = Edu-data Share
path = /mnt/md0/samba_shares/Edu_data
admin users = @"PHM\Domain Admins"
read only = no

[PlymouthData]
comment = PlymouthData Share
path = /mnt/md0/samba_shares/PlymouthData
admin users = @"PHM\Domain Admins"
read only = no

[PP4]
comment = PP4 Share
path = /mnt/md0/samba_shares/pp4
admin users = @"PHM\Domain Admins"
read only = no

[PP5]
comment = PP5 Share
path = /mnt/md0/samba_shares/PP5
admin users = @"PHM\Domain Admins"
read only = no

[Primary]
comment = Primary Share
path = /mnt/md0/samba_shares/Primary
admin users = @"PHM\Domain Admins"
read only = no

[secdata]
comment = secdata share
path = /mnt/md0/samba_shares/secdata
admin users = @"PHM\Domain Admins"
read only = no

[STORE]
comment = Store Share
path = /mnt/md0/samba_shares/STORE
admin users = @"PHM\Domain Admins"
read only = no

[Vol_data]
comment = Vol_data Share
path = /mnt/md0/samba_shares/Vol_data
admin users = @"PHM\Domain Admins"
read only = no

[samba_backups]
comment = PHM Samba AD Backups
path = /mnt/md0/samba_shares/samba_backups
admin users = @"PHM\Domain Admins"
read only = no

[ITWERKS]
comment = ITWERKS Admin Share
path = /mnt/md0/samba_shares/ITWERKS
admin users = @"PHM\Domain Admins"
read only = no

[test]
path = /mnt/md0/samba_shares/test
read only = no
admin users = @"PHM\Domain Admins"

[test2]
path = /home/itwerks/testshare
read only = no


My /etc/krb5.conf:

[libdefaults]
default_realm = PHM.PLYMOUTHHISTORY.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

My /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


Results of getent group:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,itwerks
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:itwerks
floppy:x:25:
tape:x:26:
sudo:x:27:itwerks
audio:x:29:pulse
dip:x:30:itwerks
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:itwerks
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:
messagebus:x:110:
uuidd:x:111:
ssl-cert:x:112:
lpadmin:x:113:itwerks
lightdm:x:114:
nopasswdlogin:x:115:
whoopsie:x:116:
mlocate:x:117:
ssh:x:118:
avahi-autoipd:x:119:
avahi:x:120:
bluetooth:x:121:
scanner:x:122:saned
colord:x:123:
pulse:x:124:
pulse-access:x:125:
rtkit:x:126:
saned:x:127:
itwerks:x:1000:
sambashare:x:128:itwerks
vboxusers:x:129:itwerks
gdm:x:130:
geoclue:x:131:
ntp:x:132:
winbindd_priv:x:133:
postfix:x:134:
postdrop:x:135:
group policy creator owners:x:10004:
enterprise admins:x:10002:
domain admins:x:10000:
schema admins:x:10005:
domain users:x:10001:
dnsadmins:x:10003:

Results of getent passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
itwerks:x:1000:1000:itwerks,,,:/home/itwerks:/bin/bash
gdm:x:121:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
geoclue:x:122:131::/var/lib/geoclue:/bin/false
sshd:x:123:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:124:132::/home/ntp:/bin/false
postfix:x:125:134::/var/spool/postfix:/bin/false
ekerstens:*:10002:10001:Elizabeth Kerstens:/home/ekerstens:/bin/sh
mbeddoes:*:10010:10001:Madelyne Beddoes:/home/mbeddoes:/bin/sh
sbrindley:*:10006:10001:Sherrie Brindley:/home/sbrindley:/bin/sh
mthackston:*:10008:10001:Mary Thackston:/home/mthackston:/bin/sh
swilson:*:10009:10001:Shannon Wilson:/home/swilson:/bin/sh
administrator:*:10001:10001:Administrator:/home/Administrator:/bin/sh
hnielsen:*:10007:10001:Heidi Nielsen:/home/hnielsen:/bin/sh
jburroughs:*:10017:10001:Jim Burroughs:/home/jburroughs:/bin/sh
mmccann:*:10003:10001:Melody McCann:/home/mmccann:/bin/sh
lryder:*:10005:10001:Leslie Ryder:/home/lryder:/bin/sh
jburns:*:10004:10001:Janet Burns:/home/jburns:/bin/sh
research1:*:10014:10001:Research 1:/home/research1:/bin/sh
store:*:10015:10001:Store User:/home/store:/bin/sh
phmadmin:*:10016:10001:PHM Admin:/home/phmadmin:/bin/sh
intern1:*:10011:10001:Intern 1:/home/intern1:/bin/sh
intern2:*:10012:10001:Intern 2:/home/intern2:/bin/sh
intern3:*:10013:10001:Intern 3:/home/intern3:/bin/sh
itwerks:*:10000:10001:it werks:/home/itwerks:/bin/sh

Status of the smbd, nmbd, and winbind daemons:

● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
Loaded: loaded (/etc/init.d/smbd; bad; vendor preset: enabled)
Active: active (running) since Tue 2016-09-20 11:27:07 EDT; 4h 58min ago
Docs: man:systemd-sysv-generator(8)
Process: 16736 ExecStop=/etc/init.d/smbd stop (code=exited,
status=0/SUCCESS
Process: 16891 ExecStart=/etc/init.d/smbd start (code=exited,
status=0/SUCCE
CGroup: /system.slice/smbd.service
├─16908 /usr/sbin/smbd -D
├─16909 /usr/sbin/smbd -D
├─16911 /usr/sbin/smbd -D
└─17092 /usr/sbin/smbd -D

Sep 20 11:27:07 phmsrv01 systemd[1]: Starting LSB: start Samba SMB/CIFS
daemon
Sep 20 11:27:07 phmsrv01 smbd[16891]: * Starting SMB/CIFS daemon smbd
Sep 20 11:27:07 phmsrv01 smbd[16891]: ...done.
Sep 20 11:27:07 phmsrv01 systemd[1]: Started LSB: start Samba SMB/CIFS
daemon
Sep 20 11:27:07 phmsrv01 smbd[16908]: [2016/09/20 11:27:07.830678, 0]
../lib/
Sep 20 11:27:07 phmsrv01 smbd[16908]: STATUS=daemon 'smbd' finished
starting


● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
Loaded: loaded (/etc/init.d/nmbd; bad; vendor preset: enabled)
Active: active (running) since Tue 2016-09-20 11:27:21 EDT; 4h 58min ago
Docs: man:systemd-sysv-generator(8)
Process: 16785 ExecStop=/etc/init.d/nmbd stop (code=exited,
status=0/SUCCESS
Process: 16944 ExecStart=/etc/init.d/nmbd start (code=exited,
status=0/SUCCE
CGroup: /system.slice/nmbd.service
└─16963 /usr/sbin/nmbd -D

Sep 20 11:27:21 phmsrv01 nmbd[16944]: ...done.
Sep 20 11:27:21 phmsrv01 systemd[1]: Started LSB: start Samba NetBIOS
nameserv
Sep 20 11:27:21 phmsrv01 nmbd[16963]: [2016/09/20 11:27:21.069255, 0]
../lib/
Sep 20 11:27:21 phmsrv01 nmbd[16963]: STATUS=daemon 'nmbd' finished
starting
Sep 20 11:27:44 phmsrv01 nmbd[16963]: [2016/09/20 11:27:44.518048, 0]
../sour
Sep 20 11:27:44 phmsrv01 nmbd[16963]: *****
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]: Samba name server PHMSRV01 is now a
lo
Sep 20 11:27:44 phmsrv01 nmbd[16963]:
Sep 20 11:27:44 phmsrv01 nmbd[16963]: *****


● winbind.service - LSB: start Winbind daemon
Loaded: loaded (/etc/init.d/winbind; bad; vendor preset: enabled)
Active: active (running) since Tue 2016-09-20 11:27:29 EDT; 4h 58min ago
Docs: man:systemd-sysv-generator(8)
Process: 16840 ExecStop=/etc/init.d/winbind stop (code=exited,
status=0/SUCC
Process: 17024 ExecStart=/etc/init.d/winbind start (code=exited,
status=0/SU
CGroup: /system.slice/winbind.service
├─17043 /usr/sbin/winbindd
├─17044 /usr/sbin/winbindd
├─17054 /usr/sbin/winbindd
├─17093 /usr/sbin/winbindd
└─17218 /usr/sbin/winbindd

Sep 20 11:27:29 phmsrv01 systemd[1]: Starting LSB: start Winbind daemon...
Sep 20 11:27:29 phmsrv01 winbind[17024]: * Starting the Winbind daemon
winbin
Sep 20 11:27:29 phmsrv01 winbind[17024]: ...done.
Sep 20 11:27:29 phmsrv01 systemd[1]: Started LSB: start Winbind daemon.
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.606830, 0]
../
Sep 20 11:27:29 phmsrv01 winbindd[17043]: initialize_winbindd_cache:
clearin
Sep 20 11:27:29 phmsrv01 winbindd[17043]: [2016/09/20 11:27:29.645601, 0]
../
Sep 20 11:27:29 phmsrv01 winbindd[17043]: STATUS=daemon 'winbindd'
finished


ls -la of my main share directory:

ls -la /mnt/md0/samba_shares/
total 172
drwxrwxrwx+ 19 itwerks itwerks 4096 Sep 19 21:31 .
drwxrwx--- 11 itwerks itwerks 4096 Sep 18 14:14 ..
drwxrwxrwx+ 3 itwerks itwerks 36864 Sep 18 13:11 Accounts
drwxrwxrwx+ 30 itwerks itwerks 4096 Sep 18 13:14 Director-ek
drwxrwxrwx+ 47 itwerks itwerks 4096 Sep 18 13:14 Director_sec
drwxrwxrwx+ 2 itwerks itwerks 4096 Oct 29 2010 Edu_data
drwxrwxrwx+ 21 itwerks itwerks 4096 Sep 18 18:37 home
drwxrwxrwx+ 11 itwerks itwerks 4096 Sep 18 20:45 ITWERKS
drwxrwxrwx+ 62 itwerks itwerks 4096 Sep 18 13:39 PlymouthData
drwxrwxrwx+ 2 itwerks itwerks 4096 Sep 18 14:16 pp4
drwxrwxrwx+ 3 itwerks itwerks 4096 Sep 18 13:58 PP5
drwxrwxrwx+ 5 itwerks itwerks 4096 Oct 29 2010 Primary
drwxrwxrwx+ 7 itwerks itwerks 4096 Sep 18 16:39 Profiles
drwxrwxrwx+ 2 itwerks itwerks 4096 Sep 18 02:19 samba_backups
drwxrwxrwx+ 51 itwerks itwerks 4096 Sep 18 14:16 secdata
drwxrwxrwx+ 17 itwerks itwerks 4096 Jul 29 2013 server01
drwxrwxrwx+ 3 itwerks itwerks 4096 Sep 18 14:17 STORE
drwxrwxrwx+ 2 itwerks itwerks 4096 Sep 19 22:21 test
drwxrwxrwx+ 3 itwerks itwerks 4096 Nov 29 2013 Vol_data


I am at a loss as to what I'm doing wrong here, please advise. If further
information is needed I'm happy to provide it. Thanks in advance for any
help, it is greatly appreciated.

Kind Regards,

JS

Jason Secord via samba

Sep 20, 2016, 11:50:03 PM
So it seems that I have identified the source of all of my permissions
issues, though I'm unclear as to exactly why these problems have occurred
and would love an explanation if anyone can offer one.

I was using mdadm to create a RAID 1 array, formatting it ext4 and storing
all of the data that samba was serving on /dev/md0. The two drives that
make up the array are hosted by an LSI MegaRaid controller, though they are
not configured within its interface. After carefully troubleshooting
every step in the process of setting share permissions and ACLs I decided
to create a test share on the system drive. I copied one of the problematic
directories from the raid array to my home folder and was immediately able
to access it as a Domain User... So something about the RAID array is
causing the failure. I've since moved all of the shared data to the system
drive and am moving on to other tasks but I'd really like to get it moved
back to the array.

What is going on here? The system drive is hosted by the same
controller... I've successfully used RAID arrays and mdadm to host shares
at other locations. I'd really love to understand what's going awry in
this setup.

Kind regards,

JS

Rowland Penny via samba

Sep 21, 2016, 5:10:03 AM
On Tue, 20 Sep 2016 23:38:19 -0400
Jason Secord via samba <sa...@lists.samba.org> wrote:

> So it seems that I have identified the source of all of my permissions
> issues, though I'm unclear as to exactly why these problems have
> occurred and would love an explanation if anyone can offer one.
>
> I was using mdadm to create a RAID 1 array, formatting it ext4 and
> storing all of the data that samba was serving on /dev/md0. The two
> drives that make up the array are hosted by an LSI MegaRaid
> controller, though they are not configured within its interface.
> After carefully troubleshooting every step in the process of setting
> share permissions and ACLs I decided to create a test share on the
> system drive. I copied one of the problematic directories from the
> raid array to my home folder and was immediately able to access it as
> a Domain User... So something about the RAID array is causing the
> failure. I've since moved all of the shared data to the system drive
> and am moving on to other tasks but I'd really like to get it moved
> back to the array.
>
> What is going on here? The system drive is hosted by the same
> controller... I've successfully used RAID arrays and mdadm to host
> shares at other locations. I'd really love to understand what's
> going awry in this setup.
>
> Kind regards,
>
> JS
>

Your raid setup may be the main culprit here, but your Samba setup
isn't helping.

Can I suggest a few alterations ?

Remove the gidNumber from these groups:

group policy creator owners
enterprise admins
schema admins
dnsadmins

Remove the uidNumber from this user:

administrator

Add this line to smb.conf:

username map = /etc/samba/user.map

Then create the user.map

nano /etc/samba/user.map

!root = PHM\Administrator PHM\administrator Administrator
administrator

Remove all the instances of 'admin users' & 'valid users' from the
shares. Use Windows ACLs instead, see here for more info:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Try running 'getfacl /mnt/md0/samba_shares/Accounts'

Rowland

Rowland Penny via samba

Sep 21, 2016, 12:20:06 PM
On Wed, 21 Sep 2016 11:09:15 -0400
Jason Secord <i...@plymouthhistory.org> wrote:

> Hi Rowland,
>
> I've already removed all "admin users" and "valid users" entries from
> my smb.conf, they ended up there after hours of confusion trying to
> drill down to the root of the problem.
>
> To remove the aforementioned UID/GIDs, I can do that via the tab in
> ADUC, correct? Is there a document best practices when applying UNIX
> attributes to accounts?

You can do it with ADUC, or you can use ldb or ldap tools or ADSI edit.

>
> I haven't encountered any mention of creating a user.map in the
> documentation, nor have I ever created one in the past. Is this
> something that is considered a best practice as well? Can you point
> me to any documentation on user.maps?

Not too sure about the documentation, There is some in 'man smb.conf',
but it is easier to describe it to you.

On a Samba AD DC, Administrator gets mapped to root automatically, but
on a domain member it isn't. There are two schools of thought here,
one is to give Administrator a uidNumber, but I don't recommend this.
If you do give Administrator a uidNumber, it becomes just another
Unix user with just the same permissions as any other user and it
breaks the DC. The other option is to use a 'username map', this will
do what the DC does and maps Administrator to the root user.

> I will make these adjustments
> tonight and update you along with the results of that getfacl command
> you requested.
>
> I have applied ACLs to all shares already.

Jason Secord via samba

Sep 22, 2016, 7:30:03 PM
Hi Rowland,


*Apparently I accidentally replied directly to you instead of the list,
this is from a couple days ago...*

First off, thanks again for your help, your insight is invaluable.

I have completed the changes you suggested:

I've used ADUC to remove the NIS Domain and UID/GID number from the
following Users/Groups:

- group policy creator owners
- enterprise admins
- schema admins
- dnsadmins
- Administrator

I've added "username map = /etc/samba/user.map" to my smb.conf

I've created /etc/samba/user.map

ls -la /etc/samba/user.map
-rw-r--r-- 1 root root 73 Sep 21 20:53 /etc/samba/user.map

cat /etc/samba/user.map


!root = PHM\Administrator PHM\administrator Administrator administrator

Here is the output of the getfacl command you requested I run:

sudo getfacl /mnt/md0/samba_shares/Accounts
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx

Regards,

JS

On Thu, Sep 22, 2016 at 1:35 AM, Jason Secord <i...@plymouthhistory.org>
wrote:

> I ran another test of a share on the raid array after making the changes
> you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as
> outlined in the wiki and set the default group to domain admins. I
> executed setfacl commands g=rwx and chgrp domain admins, then added the
> directory to my smb.conf and ran "smbcontrol all reload-config". I then
> logged in to a Windows box as administrator and set ACLs for my test domain
> user account, allowing full control in both share permissions and the
> security tabs, applied settings and closed the snap-in.
>
> I then logged in to another machine as my test user and tried to access
> the new share and still received access denied.
>
> I'd be oh so happy if this thread ends and the raid controller isn't the
> root cause of this issue, but my gut says it must be as shares that I
> copied from the array to the system drive retained the ACLs I had set
> previously and were accessible without modification. I just wish I could
> find some indication that this is a known issue, my Google fu fails to
> reveal any evidence supporting the theory.
>
> JS



Jason Secord via samba

Sep 22, 2016, 7:30:03 PM
*Another reply that was accidentally sent to the wrong address...*

I ran another test of a share on the raid array after making the changes
you suggested Rowland. I reset the ACLs on /mnt/md0/samba_shares/test as
outlined in the wiki and set the default group to domain admins. I
executed setfacl commands g=rwx and chgrp domain admins, then added the
directory to my smb.conf and ran "smbcontrol all reload-config". I then
logged in to a Windows box as administrator and set ACLs for my test domain
user account, allowing full control in both share permissions and the
security tabs, applied settings and closed the snap-in.

I then logged in to another machine as my test user and tried to access the
new share and still received access denied.

I'd be oh so happy if this thread ends and the raid controller isn't the
root cause of this issue, but my gut says it must be as shares that I
copied from the array to the system drive retained the ACLs I had set
previously and were accessible without modification. I just wish I could
find some indication that this is a known issue, my Google fu fails to
reveal any evidence supporting the theory.


Kind Regards,

JS

On Thu, Sep 22, 2016 at 7:21 PM, Jason Secord <i...@plymouthhistory.org>

Rowland Penny via samba

Sep 23, 2016, 3:00:08 AM
On Thu, 22 Sep 2016 19:23:05 -0400

Jason Secord via samba <sa...@lists.samba.org> wrote:

If you look at the result of the 'getfacl' command, you can see that
the share belongs to itwerks:Domain Admins, they both have 'rwx'
permissions and 'others' is supposed to also get 'rwx' permissions, but
I don't think it is working this way. Can I suggest you read this wiki
page:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Rowland

Jason Secord via samba

Sep 23, 2016, 3:40:03 AM
Mediawiki is throwing an error at this moment but I followed that page when
I set up the shares and triple checked everything when I last reset ACLs.

JS

On Sep 23, 2016 2:51 AM, "Rowland Penny via samba" <sa...@lists.samba.org>
wrote:

> On Thu, 22 Sep 2016 19:23:05 -0400

Rowland Penny via samba

Sep 23, 2016, 4:10:03 AM
On Fri, 23 Sep 2016 03:30:10 -0400
Jason Secord via samba <sa...@lists.samba.org> wrote:

> Mediawiki is throwing an error at this moment but I followed that
> page when I set up the shares and triple checked everything when I
> last reset ACLs.
>
> JS

I have asked somebody to look into the wiki problem, wait until it
comes back again and then have another look.
The problem from my perspective is that I don't fully understand just
who is supposed to have access to the share. At the moment, only
'itwerks' and 'Domain Admins' are shown by getfacl, I would expect some
other user or group to be mentioned.

Jason Secord via samba

Sep 25, 2016, 1:00:03 AM
Hi Rowland,

From the top down, I'm going to try and cover every step involved in the
wiki and give you as much info as I can in the hope that we can get this
issue resolved, or at least determine that there is nothing wrong with my
config and that the underlying array has to be the weak point, even if none
of us know why.

*Step 1: Filesystem support*

We need the filesystem to support "user and system xattr name spaces" and
have ACL and XATTR support. Per the wiki ext4 "uses all the required
options by default" so editing the entry in fstab is not required. My
kernel must also have "CONFIG_EXT4_FS_SECURITY=y" and
"CONFIG_EXT4_FS_POSIX_ACL=y" enabled.

*The RAID array's filesystem:*
/dev/md0: UUID="593d0107-cea3-42f5-a451-8b548a1df6f0" TYPE="*ext4*"

*The RAID array's fstab entry:*
/dev/md0 /mnt/md0 ext4 defaults 0 0

*My kernel config:*
~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_SECURITY
*CONFIG_EXT4_FS_SECURITY=y*
~$ cat "/boot/config-`uname -r`" | grep CONFIG_EXT4_FS_POSIX_ACL
*CONFIG_EXT4_FS_POSIX_ACL=y*

*Step 2: Test the filesystem*

*Make sure the package "attr" is installed:*
attr is already the newest version (1:2.4.47-2).

*Test xattr support **(all commands executed on the /dev/md0 filesystem)**:*

*Run the following commands as root to test xattr support:*

root@phmsrv01:/mnt/md0# touch test.txt
root@phmsrv01:/mnt/md0# setfattr -n user.test -v test test.txt
root@phmsrv01:/mnt/md0# setfattr -n security.test -v test2 test.txt

*The commands returned the correct output:*

root@phmsrv01:/mnt/md0# getfattr -d test.txt
# file: test.txt
user.test="test"

root@phmsrv01:/mnt/md0# getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"

*Run the following commands as root to test extended ACL support:*

root@phmsrv01:/mnt/md0# touch test.txt
root@phmsrv01:/mnt/md0# setfacl -m g:adm:rwx test.txt

*The commands returned the correct output:*

root@phmsrv01:/mnt/md0# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--


*Step 3: Check Samba ACL Support:*

smbd -b | grep HAVE_LIBACL
*HAVE_LIBACL*

*Step 4: As this is a Domain Member Server, check that extended ACL support
exists in the smb.conf:*

itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep acl_xattr
vfs objects = acl_xattr
itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep "map acl inherit"
map acl inherit = yes
itwerks@phmsrv01:~$ cat /etc/samba/smb.conf | grep "store dos attributes"
store dos attributes = yes
itwerks@phmsrv01:~$

*Step 4: Ensure admin accounts have SeDiskOperatorPrivilege assigned:*

itwerks@phmsrv01:~$ net rpc rights list accounts -U'PHM\administrator' -I
phmadc01.phm.plymouthhistory.org

PHM\Administrator
SeDiskOperatorPrivilege

PHM\itwerks
SeDiskOperatorPrivilege

PHM\Domain Admins
SeDiskOperatorPrivilege

Since I've already gone through the process of creating directories and we
know that Domain Admins have Full Control I'm skipping those steps from the
wiki.

Step 5: Create a Share:

I added the "Accounts" directory to my smb.conf again:

[RAID-Accounts]
comment = PHM Accounts Directory on RAID ARRAY
path = /mnt/md0/samba_shares/Accounts
read only = no

and then executed *sudo smbcontrol all reload-config*

*Step 6: Setup share permissions:*

I logged in to a Windows 7 workstation that is joined to the domain as user
"itwerks", a member of the Domain Admins group with the
SeDiskOperatorPrivilege set. I opened the Computer Management snap-in and
connected to PHMSRV01.

(NOTE: I've always experienced this, and it hasn't ever seemed to cause any
harm so I've ignored it, but the first time I expand the "System Tools"
tree, or any tree for that matter, when connected to a Samba machine using
this snap-in, I receive an error that the RPC service is unavailable.
After clearing the notification the snap-in proceeds to connect to the
Samba machine and I am able to proceed without issue. I have no idea why
this happens.)

I viewed the shares on PHMSRV01, right-clicked "RAID-Accounts", chose
"Properties" and set Share Permissions. "Everyone" is visible already and
has Full Control (I have left that setting untouched). I generally require
only a couple individual users to be able to access a given share, and in a
few exceptions all Domain Users are authorized to do so, but in this case
for testing I have added "testuser" and given them Full Control. I then
saved the changes by clicking OK.

*Step 7: Set ACLs on the root of a share:*

I opened the "RAID-Accounts" Properties again, chose the "Security" tab,
and added "testuser" with Full Control. hit OK, OK again to save changes.


I am fairly certain I executed the aforementioned steps properly, and that
I followed the wiki meticulously while doing so. If I am mistaken please
do let me know where I went astray.

*TESTING 123:*

getfacl shows the updated ACLs and 'testuser' has rwx permissions for the
share.

itwerks@phmsrv01:~$ sudo getfacl /mnt/md0/samba_shares/Accounts
[sudo] password for itwerks:
getfacl: Removing leading '/' from absolute path names
# file: mnt/md0/samba_shares/Accounts
# owner: itwerks
# group: domain\040admins
user::rwx
user:itwerks:rwx
user:testuser:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:itwerks:rwx
default:user:testuser:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::rwx

So, time to test from another workstation as 'testuser'...

I logged in to another workstation as 'testuser', a member of the Domain
Users group. In Windows Explorer I navigated to \\PHMSRV01 and all shares
are visible. I double-click "RAID_Accounts", the share I've been working
with above, and receive the following error:

*Windows cannot access \\phmsrv01\RAID-Accounts*

*You do not have permission to access \\phmsrv01\RAID-Accounts. Please
contact your network administrator blah blah blah.*

If I copy this directory from the RAID array to the system drive, change
the path in my smb.conf, and reload samba it will immediately be accessible.

Unless there's something obvious I'm overlooking, which I readily admit is
entirely possible, or there's some hidden nuance only a true greybeard
would immediately recognise, I'm at a complete loss as to what is causing
this behaviour.

Please advise.

Kind and Gracious Regards,

JS

Rowland Penny via samba

Sep 25, 2016, 5:00:05 AM

This is very strange, getfacl is now showing testuser with rwx
permissions, so the user should be able to connect to the share.

I have been doing some work with ZFS and this has the facility to pass
ACLs through the RAID to the underlying filesystem, I wonder if you
need something similar ?

Jason Secord via samba

Sep 25, 2016, 8:20:02 AM
Re: zfs...

The odd thing is... It's not mdadm that's acting up, at least not in my
opinion, as I have had two other domain member servers at other locations
that host shares on filesystems that are raid arrays built with mdadm. The
only difference between those boxes and this one is the LSI MegaRaid
controller. Now I'm no expert when it comes to this controller, the box
shipped with all the drives attached to it... And I did have a heck of a
time figuring out how to get Ubuntu on the thing... These drives that make
the array aren't even configured in its firmware. I'm really surprised by
this problem and struggling to understand what is causing it.

At this point I feel like I've got two options, either pull all the data
off of them, zero them out and configure them as a new array within the
controller itself, and then test it all again... Or punt and try and get
LSI on the phone to explain this wizardry.

I'm baffled... But at least you've confirmed my config is correct.

JS

On Sep 25, 2016 4:55 AM, "Rowland Penny via samba" <sa...@lists.samba.org>
wrote:

> On Sun, 25 Sep 2016 00:49:25 -0400

Rowland Penny via samba

Sep 25, 2016, 8:40:03 AM
On Sun, 25 Sep 2016 08:17:02 -0400
Jason Secord via samba <sa...@lists.samba.org> wrote:

> Re: zfs...
>
> The odd thing is... It's not mdadm that's acting up, at least not in
> my opinion, as I have had two other domain member servers at other
> locations that host shares on filesystems that are raid arrays built
> with mdadm. The only difference between those boxes and this one is
> the LSI MegaRaid controller. Now I'm no expert when it comes to this
> controller, the box shipped with all the drives attached to it... And
> I did have a heck of a time figuring out how to get Ubuntu on the
> thing... These drives that make the array aren't even configured in
> its firmware. I'm really surprised by this problem and struggling to
> understand what is causing it.
>
> At this point I feel like I've got two options, either pull all the
> data off of them, zero them out and configure them as a new array
> within the controller itself, and then test it all again... Or punt
> and try and get LSI on the phone to explain this wizardry.
>
> I'm baffled... But at least you've confirmed my config is correct.
>
> JS
>

Well, if two setups work and another doesn't, I would suspect any
differences between them and if the only real difference is the LSI
controller, then I would be pointing the finger at that until proved
otherwise.

Achim Gottinger via samba

Sep 25, 2016, 9:10:03 AM
Does the user have the x right for all the folders below your share path?

/mnt

/mnt/md0

/mnt/md0/samba_shares
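
Added example (not part of any post in this thread): one way to run the check asked about above, walking every directory level of a share path and reporting the first one whose mode bits deny search (x) to a given uid and gid list. The ls -la listing in the first post shows the parent of samba_shares as drwxrwx--- itwerks:itwerks, which is the case the constructed demo tree reproduces. The function names, the demo tree and the uid/gid values are assumptions made for the example; POSIX ACL entries are not evaluated.

```sh
#!/bin/sh
# Added example: report the first directory on a path whose classic mode bits
# deny search (x) to a uid and gid list. POSIX ACL entries (the "+" in ls -l)
# are NOT evaluated here; inspect those levels with getfacl.

# can_traverse DIR UID "GID GID ..."  -> returns 0 if DIR grants x to that identity
can_traverse() {
    ct_uid=$2; ct_gids=$3
    ct_stat=$(stat -L -c '%a %u %g' -- "$1") || return 2
    set -- $ct_stat                      # $1=octal mode  $2=owner uid  $3=group gid
    [ "$ct_uid" -eq 0 ] && return 0      # root bypasses directory search checks
    ct_mode=$(printf '%03d' "$(( $1 % 1000 ))")  # drop setuid/setgid/sticky digit
    ct_owner_x=${ct_mode%??}
    ct_rest=${ct_mode#?}; ct_group_x=${ct_rest%?}
    ct_other_x=${ct_mode#??}
    if [ "$ct_uid" = "$2" ]; then
        ct_digit=$ct_owner_x             # owner class is used even if group would allow
    else
        ct_digit=$ct_other_x
        for ct_g in $ct_gids; do
            if [ "$ct_g" = "$3" ]; then ct_digit=$ct_group_x; break; fi
        done
    fi
    [ "$(( ${ct_digit} & 1 ))" -eq 1 ]
}

# first_blocked PATH UID "GIDS" [START]
# Prints the first directory from START (default /) down to PATH that the
# identity cannot traverse (or that cannot be stat'ed) and returns 1;
# returns 0 with no output if every level is open. START must be a prefix of PATH.
first_blocked() {
    fb_uid=$2; fb_gids=$3; fb_cur=${4:-/}
    fb_rest=${1#"$fb_cur"}
    while :; do
        if ! can_traverse "$fb_cur" "$fb_uid" "$fb_gids"; then
            printf '%s\n' "$fb_cur"
            return 1
        fi
        # Peel off the next non-empty path component.
        fb_comp=
        while [ -n "$fb_rest" ] && [ -z "$fb_comp" ]; do
            fb_rest=${fb_rest#/}
            fb_comp=${fb_rest%%/*}
            fb_rest=${fb_rest#"$fb_comp"}
        done
        [ -n "$fb_comp" ] || return 0
        fb_cur=${fb_cur%/}/$fb_comp
    done
}

# Constructed demo tree using the modes from the first post's ls -la output:
# md0 is drwxrwx--- while the directories under it are drwxrwxrwx.
# The 755 on mnt is an assumption; the thread does not show it.
build_demo_tree() {
    bd_root=$(mktemp -d) || return 1
    mkdir -p "$bd_root/mnt/md0/samba_shares/Accounts"
    chmod 755 "$bd_root/mnt"
    chmod 777 "$bd_root/mnt/md0/samba_shares" "$bd_root/mnt/md0/samba_shares/Accounts"
    chmod 770 "$bd_root/mnt/md0"
    printf '%s\n' "$bd_root"
}

# Demo: check as an identity that is neither the owner nor in the owning group,
# which is the position of an ordinary domain user on a tree owned by a local admin.
demo_root=$(build_demo_tree)
demo_uid=$(( $(stat -c %u "$demo_root/mnt/md0") + 1 ))
demo_gid=$(( $(stat -c %g "$demo_root/mnt/md0") + 1 ))
blocked=$(first_blocked "$demo_root/mnt/md0/samba_shares/Accounts" \
          "$demo_uid" "$demo_gid" "$demo_root/mnt") || true
echo "first directory without x for uid $demo_uid: ${blocked:-none}"
rm -rf "$demo_root"
```

On a real server the uid and gid list for the account come from `id testuser`, and `namei -l /mnt/md0/samba_shares/Accounts` prints the same per-level modes for a manual check.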
